<?php
namespace lib\rule;

/**
 * 参数转义类
 * Class ParametHandle
 * @package lib\rule
 */
class ParametHandle {
    var $getfilter = "<[^>]*?=[^>]*?&#[^>]*?>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b[^>]*?>|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    var $postfilter = "<[^>]*?=[^>]*?&#[^>]*?>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b[^>]*?>|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    var $cookiefilter = "\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    var $sessionfilter = "";

    public function get($key = '',$default='')
    {
        $resData = $key ? $this->getRequestWithoutAttack($this->getfilter, "GET", $key) : $this->getRequestWithoutAttack($this->getfilter, "GET");
        return $resData?$resData:$default;
    }

    public function post($key = '',$default='')
    {
        $resData = $key ? $this->getRequestWithoutAttack($this->postfilter, "POST", $key) : $this->getRequestWithoutAttack($this->postfilter, "POST");
        return $resData?$resData:$default;
    }

    public function session($key = '')
    {
        return $key ? $this->getRequestWithoutAttack($this->sessionfilter, "SESSION", $key) : $this->getRequestWithoutAttack($this->sessionfilter, "SESSION");
    }

    private function getRequestWithoutAttack($filter, $method, $key = '')
    {
        switch($method)
        {
            case "GET":
                return @isset($key) && !empty($key) ? $this->stripAttackKey($filter, $_GET[$key]) : $this->stripAttackKey($filter, $_GET);
                break;
            case "POST":
                return @isset($key) && !empty($key) ? $this->stripAttackKey($filter, $_POST[$key]) : $this->stripAttackKey($filter, $_POST);
                break;
            case "SESSION":
                return @isset($key) && !empty($key) ? $this->stripAttackKey($filter, $_SESSION[$key]) : $this->stripAttackKey($filter, $_SESSION);
                break;
            default:
                return @isset($key) && !empty($key) ? $this->stripAttackKey($filter, $_GET[$key]) : $this->stripAttackKey($filter, $_GET);
        }

        return false;
    }

    private function stripAttackKey($filter, $arr) {
        if(is_array($arr))
        {
            // array_map(array($this, "stripAttackKey"), $filter, $arr);
            foreach($arr as $k => $v)
            {
                $arr[$k] = $this->stripAttackKey($filter, $v);
            }

            return $arr;
        }
        else
        {
            $arr = rawurldecode($arr);
            $arr = $this->fliter_script($arr);
            // return htmlspecialchars(preg_replace("/".$filter."/is", "", $arr)) ;
            return preg_replace("/".$filter."/is", "", $arr) ;
        }
    }

    private function fliter_script($str){
        $farr = array(
            // "/\s+/", //过滤多余的空白
            "/<(\/?)(script|i?frame|style|html|body|title|link|object|meta|\?|\%)([^>]*?)>/isU", //过滤 script等恶意代码,还可以加入object的过滤flash
            "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU", //过滤javascript的on事件
        );
        $tarr = array(
            // " ",
            "＜\\1\\2\\3＞", //如果要直接清除不安全的标签，这里可以留空
            "\\1\\2",
        );
        $str = preg_replace( $farr,$tarr,$str);
        return $str;
    }


}